Although the vast majority of businesses today are aware of the dangers of cyber crime, too many acknowledge that they are not really effective at preventing breaches and other security events, and are not confident in their ability to recognise that a breach is taking place. Security, and how to improve it, remains at the top of the CIO’s list of priorities.
So says Simon Campbell-Young, MD of Credence Security, who explains that there are a number of problems facing organisations that are trying to improve their security posture. “The first that comes to mind is that too many organisations rely on their own security teams to test their security solutions. Very few have the ability to conduct proper penetration testing to the level where it can truly identify any vulnerabilities in the security chain. Businesses need to rely on outside experts, whose sole function and area of expertise is to perform these tasks. Pen testing, threat intelligence analysis, thorough security audits – these should be left to the experts.”
The next issue, he says, is that security isn’t keeping up with the pace of big data and digital transformation. “As businesses embark on a digital journey, creating massive data silos, moving to the cloud, and harnessing the power of social media, analytics and the Internet of Things (IoT), they are exposing themselves to a slew of new risks they are unprepared for. As businesses change, so does the threat landscape, and unfortunately, security solutions and strategies aren’t keeping up. They need to adapt security strategies to meet these changes.”
Further to this point, Campbell-Young says that businesses are unprepared, and don’t have a real idea of what the implications of a breach could be. “Companies rely heavily on technology these days. A successful breach could shut down the business from a few hours, to a few weeks, depending on how ready it is to handle the crisis. A business needs to understand what the implications of a breach really are, including financial, legal and reputational. Once they have a grip on this, they need to decide on their ‘appetite’ for risk, and allocate security resources appropriately.”
And this can’t happen unless they truly understand what data they have, and where it resides, he continues. “An organisation needs to classify its data sets, and decide which is the most valuable or sensitive data, and protect those data assets first. Data such as intellectual property, proprietary company data, customer data and financial data needs to be guarded first, and most carefully. Further to this, they need to ensure the principle of least privilege is enforced, and keep up to date with who has access to what, bearing in mind shifts among staff in the business.”
Another reason companies fail at security is that they do not have a proper crisis management strategy or plan in place. “They are simply not prepared, and should a security event occur, they have no idea where to start, or what to do. A plan must be formulated, and all parties involved need to be fully aware of what their role is, and in what order the steps must be carried out. All parties and stakeholders involved need to work together, to design a plan that flows, and works in the event of a breach. There are legal ramifications too, and certain obligations in terms of disclosure, and notifications should sensitive data be exposed.”
Campbell-Young says throwing money at security solutions doesn’t solve all the problems. Being cyber resilient isn’t about having the top tools and solutions in place alone. It’s about backing up products with other measures to fully cover the business in the event of an incident.